In July, the federal Office for Civil Rights issued a proposed rule that contains modifications to the privacy standards, security standards, and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and includes changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition, on July 29, the U.S. Department of Health and Human Services announced that the final breach notification rule will be delayed for further consideration in light of the comments the agency received during the comment period on the interim regulations that were issued in August 2009.
HHS maintains that the proposed rule is meant to strengthen the HIPAA rules by expanding individuals' rights to access their health information, clarifying the responsibilities of business associates of HIPAA-covered entities, and setting new limits on the use and disclosure of protected health information for marketing. HCI Managing Editor John DeGaspari recently spoke with Amy M. Gordon, a partner in the healthcare reform and HIPAA practice groups of the Chicago-based law firm McDermott Will & Emery, to learn what healthcare providers should do to make sure they comply with the regulations as they evolve.
Healthcare Informatics: Can you elaborate on the basic scope of the regulations?
Amy Gordon: HIPAA in general was enacted to protect people's health and benefit information, so that it would remain private. In the past, this had been governed by state law, and states had been all over the place: some were much more restrictive than others, some had no restrictions whatsoever. What HIPAA was designed to do, from a federal perspective, was to really set a floor and make all states and all health entities comply, essentially, with at least a bare minimum of protection. HITECH enhanced the requirements a little bit further, especially with respect to the business associate agreements, and also with electronic protected health information. And then [it] also enhanced enforcement.
[The proposed regulations] are really not going to be effective until 180 days after the publication of the final rule, for which they were seeking guidance through Sept. 13, 2010. So, whether the final rule is going to make it out this year remains to be seen.
HCI: What is the general intent of the proposed regulations?
Gordon: I think what they were doing was trying to tighten some of the reins when it came to, for example, when you contract with a business associate. When you used to contract with a business associate, it was almost like there was this black hole. The business associate would agree to certain things; the covered entity would sign off on the agreement, and then the business associate would go and use subcontractors, or business associates of its own. And then the question was, what happens if one of those entities posts somebody's medical information on the Internet? What happens then?
So I think the whole intent of HITECH in general was really to say who is responsible for what, and who has to do what, and to delineate the responsibilities and the liabilities that come with having, or touching, protected health information.
HCI: So the intent was to clarify the rules under HITECH?
Gordon: Right. And also enhance some of the responsibilities. For example, originally HIPAA said business associates were not held to the same level of culpability that a covered entity was, that they were these outside parties that you would engage; and, even though they would have tons of contact with protected health information, their only liability really was in response to a contract entered into between the covered entity and the business associate.
And one of the things that HITECH did was that it raised the responsibility of a business associate almost to that of a covered entity; because now, business associates are responsible for having their own policies and procedures. They never had to do that before. And then, there is culpability in general, whether or not a contract makes them liable, if they misuse or mis-disclose protected health information; essentially, they [now] are as responsible as a covered entity under these new HITECH proposed rules.
HCI: Do you recommend that there be a contract between all players?
Gordon: Absolutely. Under HIPAA now, you [as a covered entity] have to have a contract with your business associate. So that contract is definitely required.
The other thing is, as you go downstream, and you have a business associate that contracts with another business associate or a subcontractor, what happens there? The rules don't necessarily require the covered entity to have a contract with those business associates or subcontractors. But it does require a business associate who is using that other business associate or subcontractor to have an agreement in place. And that is new.
One of the other things that the proposed rules do is expand the definition of what a business associate is. They expanded it also to organizations that provide data transmission services. For example, more and more insurance companies are receiving reimbursement electronically. So, there is data transmission to substantiate those bills and fees. If there is an entity involved, they would probably need a business associate agreement. And then, more with the states, for example, regional health information organizations, those are typically state-run organizations that require sending and receiving PHI [protected health information], sending and receiving them electronically. These other entities will be business associates as well.
Even though HIPAA was passed in 2004 and became effective in 2006, it really was not as focused on electronic transmission, not so much as it is now. I think they just sort of focused on the low-hanging fruit at first.
HCI: How has the protection of deceased individuals' protected health records changed under the proposed regulations?
Gordon: In the past, deceased individuals were treated just like regular individuals. Now, somebody can actually claim on their behalf; [for example] their estate can claim [their privacy rights] on their behalf. Your information still remains private even though you have died. So, for example, if you died of AIDS and you don't want your family members to know that, there is this enhanced protection. The [deceased] privacy rights have been enhanced slightly.
HCI: What are the obligations of covered entities to provide individuals with greater access to electronically stored information now, under the proposed rules?
Gordon: You always had the right to access your protected health information. That hasn't really changed. But you always only had access to what was considered a designated record set. Again, that has not changed. The change that happened with HITECH is, now you get an additional access ability when your information is maintained in an electronic designated record set. So what you can do, in addition to getting a paper copy or just access to your file, is request that the covered entity transmit a copy of the electronic health information to you or to a designated person in an agreed-upon formal format.
HCI: Let's talk about culpability and penalties.
Gordon: The past rules were insignificant. There were civil penalties of $100 per violation, up to $25,000 per violation per year. Criminal penalties were fines ranging between $50,000 and $250,000, and then prison from one to 10 years, if somebody knowingly obtained and disclosed protected health information. And these new enforcement rules put things into four new categories. Before, the categories were civil and criminal, that was it, and you didn't see much enforcement action.
And I would expect that you would see a lot more enforcement action now, because previously, CMS [the federal Centers for Medicare and Medicaid Services] was required to enforce HIPAA, but they didn't really have the manpower to enforce it. And there was never a private right of action on the individual. It was always, they had to go to CMS, and CMS would enforce it. Now there are new penalties, and there is also kind of a whistleblower incentive, so that if somebody actually reports somebody who has violated somebody else's privacy rights, they could actually share in some of the penalties.
The states are now charged; the state attorneys general are now charged with actually enforcing HIPAA.
HCI: The level of enforcement could be uneven.
Gordon: Yes, right. You might find that some states are a lot more aggressive and some states aren't. You could be in a state that is really an enforcement state, in which case the judge will throw the book at you; and then you could be in a state that's so lax, that you could do the same thing or something worse, and not get any penalties.
Right now, we are not seeing any enforcement, because, although they could start, they are just not [doing so]. I think that everybody is so tied up with healthcare reform that they can't even focus on this right now. But I think there will be a lot of state attorneys general who will realize this is the way to get the spotlight on people to pay attention, so you might find some more aggressive behaviors down the road.
HCI: What are the levels of culpability under the proposed rules?
Gordon: There are four levels of culpability.

The first is [when] a violator didn't know, and would not have known by exercising reasonable diligence about the violation, that they have violated HIPAA. And in that situation, the penalties would be at least $100 per violation, up to $25,000 per violation of the prohibition in the same plan year, but not more than $1,000 per violation, up to $100,000 per violation for the same violation in the same calendar year. So, when you think about it, that was all the old rule provided. So now the lowest level of culpability is what was previously in place. It's just going to go up from there.

The second would be a violation that was due to reasonable cause, but not willful neglect, and the penalties for that are $1,000 per violation, up to $100,000 for violations of the same prohibition. And that is capped at $50,000 per violation, up to $1.5 million for violations of the same requirement in the calendar year.

The third level is where somebody violated HIPAA due to willful neglect, but the violation was corrected within 30 days after the person liable for the penalty knew, or should have known by exercising reasonable diligence, about the violation. The lowest penalty for that is $10,000 per violation, up to $250,000, up to $50,000 per violation, but not greater than $1.5 million for violations of the same requirement.

And then the final is where the violations were due to willful neglect [and not corrected]; in that situation, the penalties are $50,000 per violation, up to $1.5 million. So, the penalties are a lot more costly than they were.
HCI: Can you elaborate on the culpability of each entity in the chain?
Gordon: In the past, if you had a contract with a business associate and they were the ones that were committing the violation, but the covered entity did not know of the pattern of practice of the violation, then essentially the covered entity was off the hook.
But these proposed regulations remove this exception. They make a covered entity liable for civil penalties due to a business associate's or a business associate's subcontractor's violation, regardless of whether there was a compliant contract in place, or whether the covered entity knew of the violation or acted appropriately in response to the violation.
So, it's almost like a strict liability standard imposed on covered entities, whether they knew or should have known, they are still going to be culpable for the actions of their business associates. That enforces my original point, which is, you better make sure that there is good indemnification language. Because if the covered entity is supposed to know or should have known, then they are going to want to get back any kind of financial penalties that they would be responsible to pay.
[Covered entities] have to pay attention to the actions of their business associates. Again, in the past, you could always hide behind a compliant contract, and say, I can just go on, do business as usual and expect that, because my business associate has a compliant contract in place, they are going to do the right thing. But now there is almost this enhanced liability on the part of a covered entity, that they have to be responsible for all of the bad acts of their business associates, whether they know or should have known that they were occurring. Which seems like an awfully high standard, and I would hope that they would pull back a little bit on that. That is an unfair standard, and I agree.
I think the other thing that is important is, because these penalties are so high, you'd want to make sure that whoever you are contracting with is a pretty renowned and well-capitalized entity. Some of these mom and pop entities might not be able to weather the storm, if they are assessed these penalties. In which case they go out of business and your indemnification is only as good as somebody being able to pay.
HCI: How have the proposed regulations changed Notice of Privacy practices?
Gordon: One of the major things is that if there is some sort of disclosure that requires an authorization, that would have to be described in the privacy notice. For example, if you wanted access to psychotherapy notes, like I mentioned earlier, marketing, or anything like that, you'd have to say so in the privacy notice. That signed authorization must be provided prior to disclosure.
The other thing that the HITECH regulations address and that has to also be addressed in the privacy notice, is when you are selling protected health information [PHI]. For example, say a doctor lets a pharmaceutical company know that 20 of its patients are diabetic. The pharmaceutical company really wants to market those people with their new and improved insulin, so the doctor sends the patients an update saying, don't forget, you need to refill your prescription for insulin.
In the past, that all went under the radar screen, because everybody thought, that's just care, and a doctor being diligent about telling a patient that they need to refill their prescription. And that actually got a little bit more attention, and people are saying, not so fast, the doctors aren't necessarily looking out only for their patients' best interest here; the pharmaceutical companies are also paying that doctor to remind them to refill their prescription, because in doing so, they actually buy the pharmaceutical company's drugs.
So now, one of the things that a provider has to put in their privacy notice is a statement that says, I am reimbursed or am receiving money for these communications, and also allow people to opt out of receiving those communications.
HCI: What's behind the delay in the data breach notification regulations?
Gordon: I thought that the breach notification requirements were pretty extensive. I don't know if somebody is lobbying for something more to be thrown in there. I don't know if they just started thinking, well, healthcare is really costing people millions of dollars in complying with the healthcare reform; is there any way we can delay this, and take some of the burden off these companies that are going through the cost of complying with healthcare reform? It is a kind of mystery, but I don't think it is going to be repealed.
HCI: Is there anything that hospital CIOs can do to prepare themselves now for compliance?
Gordon: I think that getting your privacy policies up to date, doing an assessment on who are your business associates and making sure that, if you have existing contracts, that they are up to date and protective. If you don't have contracts in place, definitely get those contracts in place.
And then systems, just taking a good systems review, because you have this whole breach notice requirement, assuming when it does come back onto the plate. You do have to make sure that, if there is a breach, that there is a process in place that you can notify. So the better system protections you have, [such as] a close-knit IT system, you would prevent many unnecessary breaches from happening and therefore having to go through that whole rigorous notice provision.
Healthcare Informatics 2011 February;28(2):56-62